MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkyLock

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6
SHA3-384 hash:	0f10c5f923162b54685ae99b6e4a1b5d96bfea5171946de645fdaf6e5c52dce0b268a28fa03bdd835a70a49be03455e3
SHA1 hash:	62b33edc9682bc780bc68d34ae7b19eaf429e42d
MD5 hash:	60ed30bea0f9e2db5cc1f45241c7473c
humanhash:	mobile-johnny-angel-mexico
File name:	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.bin
Download:	download sample
Signature	DarkyLock Create hunting rule
File size:	1'598'976 bytes
First seen:	2022-07-16 16:52:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep	49152:Dn3kKc0rJdjgqsLqf3ZfM0Pa5kLLcatsXkjbGDGe0VM:D3k1nkLiDxL
Threatray	2'075 similar samples on MalwareBazaar
TLSH	T12A759E13B29511F9C06AC1788BA75152E971BC510B34BADF17A077262E32FE06F3DB26
TrID	73.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 3.9% (.EXE) Win64 Executable (generic) (10523/12/4) 2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.0% (.FON) Windows Font (5545/9/1)
File icon (PE):
dhash icon	d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter	Arkbird_SOLG
Tags:	Darky Lock DarkyLock exe Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

576

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ransom.zip

Verdict:

Malicious activity

Analysis date:

2022-07-16 19:31:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d2b6d5ee-8b53-4946-8285-7225342adb07

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Babuk

Link:

https://www.capesandbox.com/analysis/291242/

Detection(s):

Win.Ransomware.Packer-7473772-1

Win.Tool.Binder-9794371-0

Win.Trojan.Binder-6

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Searching for the window

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Creating a file

Changing a file

Launching a service

Creating a file in the mass storage device

Deleting volume shadow copies

Forced shutdown of a browser

Encrypting user's files

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26374/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f62eaf9-28f8-4ec4-9f16-c4a424de122e

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1033936

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6/

Threat name:

Win32.Trojan.VBinder

Status:

Malicious

First seen:

2022-07-05 23:36:00 UTC

File Type:

PE (Exe)

Extracted files:

558

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7qunf2xod7juc37d4dgum2o7hlaxrrlx4oumhbvryngdcrvpxdla._file

Verdict:

malicious

Label(s):

cobaltstrike

DarkyLock

25835a890a218fd26bfd8b23696576402b5eb8a4c9af4a51529e14c4f00a9cce

DarkyLock

341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

DarkyLock

393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

DarkyLock

566c7dd77180ac1c888ea2b938d4ce67ad6f39c08b2fe6681ef8a8468da435e4

DarkyLock

+ 2'065 additional samples on MalwareBazaar

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit ransomware

Link:

https://tria.ge/reports/220716-vdzpkadhdq/

Behaviour

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Enumerates connected drives

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Modifies extensions of user files

Deletes shadow copies

Lockbit

Unpacked files

SH256 hash:

9e67a1c67e3768e7f1f5fc4509119d1999722c6fc349a6398c9b72819e6ebe8d

MD5 hash:

ed48abb49065d2fb387dbf34b19516e1

SHA1 hash:

b4a1f40dcd036ce38ed4cd80561c63849bf14ce5

Detections:

win_babuk_auto

Link:

https://www.unpac.me/results/217a46d6-0906-474f-be8f-31163f3114f1/

SH256 hash:

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6

MD5 hash:

60ed30bea0f9e2db5cc1f45241c7473c

SHA1 hash:

62b33edc9682bc780bc68d34ae7b19eaf429e42d

Link:

https://www.unpac.me/results/217a46d6-0906-474f-be8f-31163f3114f1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_Babuk Create hunting rule
Author:	ditekSHen
Description:	Detects Babuk ransomware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	WIN_SHADOW_UNPACKED Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/291242/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample